The example in this task shows how to block the IP traffic from a host with an IP address of 12.0.0.100. See Basic SEFOS Topology for the topology for this task.
The filter type can be extended or standard. Standard filters match traffic on the source IP address and the destination IP address only. Extended filters can additionally match on the protocol ID, TCP/UDP port numbers, DSCP values, and flow label. In this example, IP packets with 12.0.0.100 as the source address are filtered.
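To make the difference between standard and extended filters concrete, and to show why a single deny entry is enough to drop every packet from host A, the following Python model evaluates an access list against sample packets. It is an added example, not part of this SEFOS documentation or of SEFOS itself: the rule syntax it parses is an approximation of the page's `deny ip host 12.0.0.100 any` form (the `eq PORT` suffix and the `default` action of an unmatched packet are assumptions, since the page does not state them), and the sample packets are constructed.

```python
"""First-match ACL evaluation model (constructed example, not SEFOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"          # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class Rule:
    action: str                  # "deny" or "permit"
    src: IPv4Net
    dst: IPv4Net
    proto: str = "ip"            # "ip" matches every IP protocol
    dport: Optional[int] = None  # only settable on extended lists

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def _parse_addr(tokens: List[str]) -> IPv4Net:
    """Consume one address spec: 'host A.B.C.D', 'any', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Net("0.0.0.0/0")
    if t == "host":
        return IPv4Net(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # dotted mask, e.g. 255.0.0.0
    return IPv4Net(f"{t}/{mask}", strict=False)


def parse_rule(line: str, extended: bool = True) -> Rule:
    """Parse '<deny|permit> [proto] <src> <dst> [eq PORT]'.

    A standard list carries no protocol keyword and no port; passing
    extended=False rejects those extra match fields (assumed syntax).
    """
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("deny", "permit"):
        raise ValueError(f"unknown action {action!r}")
    proto = tokens.pop(0) if extended else "ip"
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport = None
    if tokens:
        if not extended:
            raise ValueError("standard lists match on addresses only")
        if tokens[0] == "eq":
            dport = int(tokens[1])
    return Rule(action, src, dst, proto, dport)


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """Return the action of the first matching rule, else 'default'.

    'default' stands in for the list's implicit action; the page does not
    state what SEFOS does with an unmatched packet, so it is a parameter.
    """
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default


# Access list 11 from the page: one extended entry dropping all IP traffic
# sourced by host A (12.0.0.100), whatever the destination.
ACL_11 = [parse_rule("deny ip host 12.0.0.100 any")]


def ping_allowed(acl: List[Rule], src: str, dst: str = "12.0.0.17") -> bool:
    """Model an ICMP echo request through the ingress ACL of port 0/25."""
    return evaluate(acl, Packet(src, dst, "icmp")) == "permit"


if __name__ == "__main__":
    print(ping_allowed(ACL_11, "12.0.0.100"))  # host A: dropped
    print(ping_allowed(ACL_11, "12.0.0.50"))   # any other host: forwarded
    print(ping_allowed([], "12.0.0.100"))      # list removed from port: forwarded
```

Applying the list to a port corresponds to passing it to `evaluate`; removing it with `no ip access-group` corresponds to the empty list in the last call. An extended entry such as `deny tcp any host 12.0.0.17 eq 23` matches only Telnet to host B, which a standard entry cannot express.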
ACL filters filter packets in hardware, based on the filtering criteria configured or programmed in the switch. The switch examines each packet against the configured access lists to determine whether it should be blocked or forwarded. Type the following commands on the SEFOS-1 switch.
See Connect to SEFOS.
SEFOS-1# configure terminal
SEFOS-1(config)# interface vlan 1
SEFOS-1(config-if)# shutdown
SEFOS-1(config-if)# ip address 12.0.0.1 255.0.0.0
SEFOS-1(config-if)# no shutdown
SEFOS-1(config-if)# exit
SEFOS-1(config)# interface xl-ethernet 0/25
SEFOS-1(config-if)# no shutdown
SEFOS-1(config-if)# exit
SEFOS-1(config)# interface xl-ethernet 0/26
SEFOS-1(config-if)# no shutdown
SEFOS-1(config-if)# exit
SEFOS-1(config)# ip access-list extended 11
SEFOS-1(config-ext-nacl)# deny ip host 12.0.0.100 any
SEFOS-1(config-ext-nacl)# end
On host A, before the access list is applied to the port, the ping to host B (12.0.0.17) succeeds:

# ping 12.0.0.17
12.0.0.17 is alive
SEFOS-1(config)# interface xl-ethernet 0/25
SEFOS-1(config-if)# ip access-group 11 in
SEFOS-1(config-if)# exit
SEFOS-1(config)# vlan 1
SEFOS-1(config-vlan)# ports xl-ethernet 0/25 xl-ethernet 0/26 untagged xl-ethernet 0/25 xl-ethernet 0/26
% Member Ports cannot be added/deleted on Default VLAN
SEFOS-1(config-vlan)# end
SEFOS-1# show access-lists
...
IP address Type : IPV4
...
In Port List : X10/25
...
Filter Action : Deny
Status : Active
Packets sent from host A are not forwarded to port 26 because the filter action is set to deny. The ping to 12.0.0.17 from host A now fails, with no answer from 12.0.0.17.
SEFOS-1# configure terminal
SEFOS-1(config)# interface xl-ethernet 0/25
SEFOS-1(config-if)# no ip access-group 11 in
SEFOS-1(config-if)# end
SEFOS-1# show access-lists
...
Status : InActive
The ping is answered from host B. Packets sent from host A are forwarded to port 26. The following two consecutive ping commands show that the deny filter action set in the ACL list was applied to one port and was removed from another port.
# ping 12.0.0.17
no answer from 12.0.0.17
# ping 12.0.0.17
12.0.0.17 is alive